Bug 535996 - mkfs.ext4 revealing blkid policy issues
Summary: mkfs.ext4 revealing blkid policy issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Jason Zaman
Whiteboard: sec-policy r6
Reported: 2015-01-08 08:43 UTC by Eric Gisse
Modified: 2015-07-03 16:23 UTC
Description Eric Gisse 2015-01-08 08:43:39 UTC
Formatting a new filesystem with ext4 is revealing an issue with util-linux's blkid.

# mkfs.ext4 -m 0 /dev/mapper/crypt-squid
mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 131071488 4k blocks and 32768000 inodes
Filesystem UUID: 8f2febaa-42cd-4688-944c-7b5e9924bb15
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 
        102400000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done     


--->

Jan  8 02:25:59 testbed kernel: [31462.646228] audit: type=1400 audit(1420705559.895:1351): avc:  denied  { read } for  pid=18595 comm="mkfs.ext4" name="blkid.tab" dev="tmpfs" ino=5441676 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan  8 02:25:59 testbed kernel: [31462.646255] audit: type=1400 audit(1420705559.895:1352): avc:  denied  { open } for  pid=18595 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=5441676 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan  8 02:25:59 testbed kernel: [31462.646274] audit: type=1400 audit(1420705559.895:1353): avc:  denied  { getattr } for  pid=18595 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=5441676 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan  8 02:26:00 testbed kernel: [31462.847423] audit: type=1400 audit(1420705560.096:1354): avc:  denied  { write } for  pid=18595 comm="mkfs.ext4" name="blkid.tab" dev="tmpfs" ino=5441676 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan  8 02:26:00 testbed kernel: [31462.847464] audit: type=1400 audit(1420705560.096:1355): avc:  denied  { write } for  pid=18595 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=370936 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
Jan  8 02:26:00 testbed kernel: [31462.847480] audit: type=1400 audit(1420705560.096:1356): avc:  denied  { add_name } for  pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
Jan  8 02:26:00 testbed kernel: [31462.847606] audit: type=1400 audit(1420705560.096:1357): avc:  denied  { create } for  pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan  8 02:26:00 testbed kernel: [31462.847733] audit: type=1400 audit(1420705560.096:1358): avc:  denied  { setattr } for  pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" dev="tmpfs" ino=12040320 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan  8 02:26:00 testbed kernel: [31462.847925] audit: type=1400 audit(1420705560.097:1359): avc:  denied  { remove_name } for  pid=18595 comm="mkfs.ext4" name="blkid.tab.old" dev="tmpfs" ino=5439904 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
Jan  8 02:26:00 testbed kernel: [31462.847941] audit: type=1400 audit(1420705560.097:1360): avc:  denied  { unlink } for  pid=18595 comm="mkfs.ext4" name="blkid.tab.old" dev="tmpfs" ino=5439904 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1


The denial spew summarized is that when you run mkfs.ext4, it loads up /sbin/blkid (from sys-apps/util-linux) in the background.

I am somewhat fuzzy as to the reason for this, but my best guesstimate is that mke2fs uses this tool for various things like UUID determination, whether a block device is formatted, whatever.

When mke2fs runs blkid, it generates output in /var/run/blkid. However this output is more in the sense of a temp file rather than an actual lock/pid file.

I am of two minds with this.

On one hand, fixing this so that it has permission to manage junk in /run/blkid is relatively straightforward and safe.

On the other hand, it should not be using /run as a stand-in for /tmp.

I'm leaning towards more 'yelling for upstream to fix this' rather than 'adjust selinux to support bad application choices'.
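
Added example, not part of the original report or of the Gentoo policy: a small Python summary of AVC denials like the ones above, in the spirit of audit2allow, that groups them by source type, target type and object class. The function names and the abridged sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: denials abridged from the log above (pid, ino and
# ipaddr fields dropped), plus one unrelated kernel line that must be skipped.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1420705559.895:1351): avc:  denied  { read } for  comm="mkfs.ext4" name="blkid.tab" dev="tmpfs" scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
kernel: audit: type=1400 audit(1420705560.096:1354): avc:  denied  { write } for  comm="mkfs.ext4" name="blkid.tab" dev="tmpfs" scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
kernel: audit: type=1400 audit(1420705560.096:1355): avc:  denied  { write } for  comm="mkfs.ext4" name="blkid" dev="tmpfs" scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
kernel: audit: type=1400 audit(1420705560.096:1356): avc:  denied  { add_name } for  comm="mkfs.ext4" name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
kernel: EXT4-fs (dm-3): mounted filesystem with ordered data mode
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC denial
        key = (context_type(match["src"]), context_type(match["tgt"]), match["cls"])
        rules[key].update(match["perms"].split())
    return rules


def as_allow_rules(rules):
    """Render the summary as policy-style allow lines, for review only."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE_LOG))))
```

Because var_run_t is the generic label for /run, rules printed this way would cover far more than /run/blkid; the summary is a review aid, and a private type with a file transition is the narrower change.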
Comment 1 Jason Zaman gentoo-dev 2015-04-13 16:01:56 UTC
I decided to send this upstream. I made a filetrans for fsadm_run_t. I assume other fsadm tools will use /run too since everything seems to be migrating there.
Comment 2 Jason Zaman gentoo-dev 2015-04-22 21:48:09 UTC
In git, will be in -r6.
Comment 3 Jason Zaman gentoo-dev 2015-06-05 16:25:23 UTC
r6 policy is in ~arch
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-03 16:23:18 UTC
Now stable